HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications Are You Correctly Addressing Them?

Transcription

1 HIP Security: Complying with the HIP Security ule Implementation Specifications re You Correctly ddressing Them? The Seventh National HIP Summit Monday, September 15, 2003 Tom Walsh, CISSP 6108 West 121 Street Overland Park, KS Phone:

2 Implementation Specifications re You Correctly ddressing Them? September 2003 Comprehensive, Flexible, Scalable, Technology Neutral HIP SECUITY ULE dministrative Safeguards (55%) 12 equired, 11 ddressable Physical Safeguards (24%) 4 equired, 6 ddressable Technical Safeguards (21%) 4 equirements, 5 ddressable ddressable Implementation Specifications In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following: Implement one or more of the addressable implementation specifications; Implement one or more alternative security measures; Implement a combination of both; or Security ule Sections Definitions Security Standards: General ules dministrative safeguards Physical safeguards Technical safeguards Organizational requirements Policies and procedures and documentation requirements Compliance dates Not implement either an addressable implementation specification or an alternative security measure. Key Concepts Security ule isk nalysis Determines the appropriate means of compliance Does not imply that organizations are given complete discretion to make their own rules Covered entities must assess if an implementation specification is reasonable and appropriate DMINISTTIVE SFEGUDS Security Management Process isk nalysis () ssesses its own security risks Determines its risk tolerance or risk aversion isk Management () Privacy versus Security Parallels the Privacy ule except: Security ule covers only electronic protected health information (ephi) Privacy ule applies to PHI in paper, oral, and electronic form Security standards extend to the members a covered entity s workforce even if they work at home equires a minimum level of documentatio that must be retained for six years Devises, implements, and maintains appropriate security to address its business requirements 2003 Tom Walsh Consulting, LLC Page 1 of 7

3 Implementation Specifications re You Correctly ddressing Them? September 2003 DMINISTTIVE SFEGUDS (continued) Security Management Process Sanction Policy () Information System ctivity eview () Sanctions must be clearly defined; Not just a generic statement in policies ctivity eview ( Internal udit ) Procedures for reviewing audit logs, access reports, and security incident tracking reports ssigned Security esponsibility esponsibility must rest with one individual to ensure accountability typically an Information Security Officer (ISO) Large organizations may have site security coordinators working with the ISO Smaller organizations may use the Privacy Official or outsource the ISO function Security standards extend to the members of a covered entity s workforce even if they work at home Workforce Security uthorization and/or Supervision () Workforce Clearance Procedure () Termination Procedures () uthorization controls to verify the identity of the workforce member Types of background checks that will be conducted for workforce members Termination Collecting access control devices or changing door locks, etc. Information ccess Management Isolating Healthcare Clearinghouse Function () ccess authorization () ccess Establishment and Modification () Isolating Healthcare Clearinghouse Function New requirement equirement for User-based, role-based, or context-based was removed Compliance with the Privacy ule s Minimum necessary and JCHO IM standards may drive role-based access controls Security wareness and Training Security eminders () Protection from Malicious Software () Log-in Monitoring () Password Management () What is the difference between: Training, Education and wareness? What other information security content should be covered in workforce training? Security awareness training is a critical activity, regardless of an organization s size Tom Walsh Consulting, LLC Page 2 of 7

4 Implementation Specifications re You Correctly ddressing Them? September 2003 DMINISTTIVE SFEGUDS (continued) Security Incident Procedures esponse and eporting () Provides a way for users to report unusual occurrences in security or breaches to patient confidentiality Contingency Plan Data Backup Plan () Disaster ecovery Plan () Emergency Mode Operation Plan () Testing and evision Procedure () pplications and Data Criticality nalysis () Goals: Identify Contain Correct Prevent Documented procedure for the secure, off-site storage and rotation of backups Work in conjunction with Data Owners to determine the organization s ecovery Point Objective (PO) and ecovery Time Objective (TO) Evaluation Periodic review of technical controls and procedural review of the entity s security program Non-Technical review Self assessment or gap analysis Certification of systems Compliance documentation udit logs and incident reports Technical review Vulnerability scans Testing of security controls Security ule Business ssociate Contracts and Other rrangements Written Contract or Other rrangements () Identify all business associates who receive or have access to electronic PHI Tie efforts with the Privacy initiative Leverage the opportunity to establish rules for remote access for vendors to limit downstream liability 2003 Tom Walsh Consulting, LLC Page 3 of 7

5 Implementation Specifications re You Correctly ddressing Them? September 2003 PHYSICL SFEGUDS Facility ccess Controls Contingency Operations () Facility Security Plan () ccess Control and Validation Procedures () Maintenance ecords () To protect buildings, equipment, and media from natural and environmental hazards and unauthorized intrusions Track maintenance records for door lock repairs or changes Workstation Use Workstation Security Could address both in a single policy Verify workstations are located to prevent unauthorized or casual viewing Conduct a random audit of computer workstations to verify they have been updated with the latest version of virus definitions Device and Media Controls Disposal () Media e-use () ccountability () Data backup and Storage () Device added to media controls to address things such as PDs Media e-use is a new requirement; Sanitization of media (Overwriting the disk with random patterns of 1s and 0s ) Importance of a Media e-use Policy There have been many news stories about people purchasing used computers and finding sensitive and confidential information stored on the hard disks. Some people have been able to retrieve names, addresses, medical information, Social Security Numbers, and credit card numbers. Organizations must implement a strong media re-use policy to prevent these types of disclosures that could possibly lead to identity theft, the fastest growing crime in merica Tom Walsh Consulting, LLC Page 4 of 7

6 Implementation Specifications re You Correctly ddressing Them? September 2003 TECHNICL SFEGUDS ccess Control Unique User Identification () Emergency ccess Procedure () utomatic Logoff () Encryption and Decryption () Unique UserID for accountability Most important for clinical applications utomatic logoff also permits an equivalent measure to restrict access Encryption is an acceptable method of access control (data at rest) udit Controls Use risk assessment and analysis to determine the extent of audit trails Events that trigger an audit trail need to be jointly determined by the Data Owners, the Privacy and Security Officers Check with vendors on audit capability Store audit logs on a separate server System administrators should not have access to the audit logs Integrity Mechanism to uthenticate Electronic PHI () Document any integrity controls that will be employed especially for transmissions outside of the internal network to ensure the validity of the data being sent or the sender of the data Person or Entity uthentication Person or entity authentication is primarily accomplished through UserID and passwords The Security ule does not specify any password requirements Transmission Security Integrity Controls () Encryption () When electronic protected health information is transmitted from one point to another, it must be protected in a manner commensurate with the associated risk. ecognition that there is not a simple and interoperable solution to encrypting e- mail containing PHI 2003 Tom Walsh Consulting, LLC Page 5 of 7

7 Implementation Specifications re You Correctly ddressing Them? September 2003 SECUITY: BUSINESS POCESS So how much security do you really need? Security: Business Process You need a little more security than the next guy No such thing as 100% security Three factors inhibit countermeasures: 1. Costs (Direct and indirect) 2. The hassle factor (Inconvenience) easonable and appropriate an emergency measures need to be taken (due diligence) balanced security approach provides due diligence without impeding health care 3. May prevent legitimate access in Source: For the ecord: Protecting Electronic Health Information Balance Lack of adequate security results in the potential unauthorized access to confidential information. Too much security may hinder health care. The goal is to reduce (not eliminate) risks to an acceptable level based upon an organization s risk tolerance. isk Cost ESOUCES ISO 17799:2000, Code of Practice for Information Security Management NIST Special Publication 800 series: Handbook for HIP Security Implementation by Margret matayakul, Steve Lazarus, Tom Walsh, and Carolyn Hartley, which is being published by the merican Medical ssociation in October Best Practices for Compliance with the Final Security ule by Tom Walsh, published by HIMSS in the Journal of Healthcare Information Management, Volume 17, Number 3, Summer 2003 CONCLUSION The Security ule requires covered entities to apply reasonable and appropriate safeguards and controls to protect electronic protected health information (ephi) Whether required or addressable, the appropriate safeguards should be based upon an organization's risk analysis and best practices 2003 Tom Walsh Consulting, LLC Page 6 of 7

8 Implementation Specifications re You Correctly ddressing Them? September 2003 The Final HIP Security Standards (February 2003) DMINISTTIVE SFEGUDS Standards Section Implementation Specifications Security Management Process (a)(1) isk nalysis isk Management Sanction Policy Information System ctivity eview ssigned Security esponsibility (a)(2) Workforce Security (a)(3) uthorization and/or Supervision Workforce Clearance Procedure Termination Procedures Information ccess Management (a)(4) Isolating Healthcare Clearinghouse Function ccess uthorization ccess Establishment and Modification Security wareness and Training (a)(5) Security eminders Protection from Malicious Software Log-in Monitoring Password Management Security Incident Procedures (a)(6) esponse and eporting Contingency Plan (a)(7) Data Backup Plan Disaster ecovery Plan Emergency Mode Operation Plan Testing and evision Procedure pplications and Data Criticality nalysis Evaluation (a)(8) Business ssociate Contracts nd (b)(1) Written Contract or Other rrangements Other rrangements PHYSICL SFEGUDS Standards Section Implementation Specifications Facility ccess Controls (a)(1) Contingency Operations Facility Security Plan ccess Control & Validation Procedures Maintenance ecords Workstation Use (b) Workstation Security (c) Device and Media Controls (d)(1) Disposal Media e-use ccountability Data Backup and Storage TECHNICL SFEGUDS Standards Section Implementation Specifications ccess Control (a)(1) Unique User Identification Emergency ccess Procedure utomatic Logoff Encryption and Decryption udit Controls (b) Integrity (c)(1) Mechanism to uthenticate Electronic PHI Person or Entity uthentication (d) Transmission Security (e)(1) Integrity Controls Encryption OGNIZTIONL EQUIEMENTS POLICIES ND POCEDUES ND DOCUMENTTION EQUIEMENTS Legend: = equired = ddressable 2003 Tom Walsh Consulting, LLC Page 7 of 7